One client of ours has an idea for a project leveraging the twitter API. He wants users to log in using twitter credentials, but wants to onboard them without logging in with the first interactions.

Basically, users would arrive on the site and search for a keyword right away without logging in. We figured that app-only tokens are not usable here because they are so low; and we figured that at this stage we could use another user’s token for this first search to show some results to the logged out user and entice him to login as well.

would doing this (using a user’s token to serve a logged out user) accepted within the ToS of the rest API?

Our logic is that is we have 100’s of user keys we might as well use them to get even more uses on board.

No, this is not an acceptable way of using tokens - for one thing, a user’s tokens has access to that user’s own data, and it is inappropriate to essentially pass it on to another user for privacy reasons. The developer policy (I.2.g) clearly states that you shouldn’t attempt to circumvent rate limits etc.

Thanks for the answer. To be more specific; it would not be passing it to another user. It would be answering a query (ie. making a search) by leveraging an existing token in order to have the logged out user see some results without logging in.